Security threats damage more than infrastructure
By ALAN SEE,
Chief Executive Officer, e-Cop.net Surveillance Sdn Bhd
Date: December 11, 2003
Most local organisations do not consider enterprise security as part of their business priorities.
Organisations often keep conventional and obsolete infrastructure that is no longer suitable to protect against the ever-evolving security attacks.
One of the most common reasons given by chief information or technology officers is budget. Here’s another question – what exactly is preventing organisations from allocating larger amounts of money for enterprise security?
Lack of understanding
According to the Ernst and Young LLP Global Information Security Survey 2003, nearly 60% of organisations rarely or never calculated their return on investment for security spending.
In fact, most of them still do not appreciate that security breaches can cause devastating losses, not limited to mere equipment damage and software corruption.
Therefore, most organisations would rather spend minimal amounts because they do not understand the repercussions of these threats to their businesses. This is also a result of how little they know about emerging security trends and threats.
New threats, greater abilities
Security threats are developing just like every other evolving technology. Emerging threats exploit many areas of vulnerability. For example, viruses, worms and other security breaches such as spam, reconnaissance and spyware are some of the newer threats that are more complicated and harder to detect and remove than those in the past.
The capabilities of security threats in the past were limited – usually designed to destroy systems or data. Although they could propagate broadly, they still took time to travel across the world given that they often came in e-mail attachments. They needed users to click on the attachments in order to activate further propagation.
Unlike these, latter-day high-profile attacks like day-zero worms and viruses are more sophisticated in terms of architecture, spreading techniques and disruption methods.
Virus writers develop them by combining the most devastating characteristics of multiple worms, Trojans, malicious code and even some other viruses. The Slammer, Blaster and Sobig critical worms, for example, exploit software vulnerabilities to proliferate automatically, at faster speeds – leaving security experts very little time to work on the solutions.
As a matter of fact, today’s threats are diversifying their abilities, causing system or data destruction. The following illustrates some new-generation security breaches and their potential in causing different types of damage:
· Viruses and worms modify registries, clog networks and interrupt various computer systems
· Intruders steal confidential information such as credit card numbers, passwords and corporate databases using Spyware, a newly discovered Trojan horse
· Hackers exploit flaws in programming scripts (CGI, XML) and other web server weaknesses to deface and hijack websites
· Spam, the infamous denial of service, multiplies e-mail messages to congest servers
· Reconnaissance involves network port scanning to identify vulnerabilities. These loopholes serve as back doors for intruders to circumvent security mechanisms, and later plant malicious tools into network systems and endpoints to launch attacks or steal information
· In the case of more serious and co-ordinated attacks, cyberterrorism is used to immobilise an institution or a country by launching simultaneous attacks on multiple targets
The above are just some examples of physical damage. The attack patterns show that these threats often target important components in an organisation such as databases, networks, servers and other mission-critical data or systems. Failure to protect these components will certainly bring more significant losses to an organisation.
More than infrastructure loss
Financial, business process and credibility damage are three major critical risks that could affect organisations badly in the aftermath of security attacks. These not only derive from infrastructure damage, but also from loss of vital information, which is the key to today’s business dynamics.
Quantitative measures are usually used to estimate the total loss subsequent to any security attack. Whether they involve infrastructure damage or information loss, they often involve hefty amounts of money that increase operating expenses.
For example, a statement from the National ICT Security and Emergency Response Centre (Niser) estimated that about RM31mil worth of losses accumulated from the cost of cleaning infected computers and networks after the Blaster attacks.
With the increasing security attacks that allow espionage or theft of a company’s intellectual property, organisations are exposed to major financial risks. Losing this property is comparable to losing tangible assets.
In fact, the combined cost of espionage in the United States is as high as US$300mil a year, according to a study conducted by the National Counter Intelligence Executive (NCIX).
In addition, security threats also enable intruders to conduct fraudulent business transactions and pass on false information. An intended attack usually causes organisations greater financial loss, especially when the intruder hacks into the system of a bank.
In the end, such misfortunes will affect the bottom line because they are liabilities that increase an organisation’s operational costs and decrease total revenue. Such added expenditure would not be necessary if the organisation had adopted suitable preventive measures.
Business process damage
More and more organisations are operating in enterprise-wide mode. No doubt the convenience of the Internet and online transactions allows effective and efficient interaction with customers, suppliers and the public.
However, if the organisation is prone to attack and thereafter spreads viruses that harm its business partners, there will be a greater loss of business opportunities.
Downtime and the inability to continue mission-critical operations are another risk to business processes. A survey by consulting giant PricewaterhouseCoopers indicated that security attacks resulted in an average downtime of 1.33 days per employee. Such events will definitely decelerate productivity and the growth of an organisation.
On a higher level of severity, security threats could also affect business continuity. This could happen if an organisation fails to restore its system and information, or is unable to cover the cost of disruption caused by massive attacks such as cyberterrorism.
Losing confidential agreements, disclosure of partners’ information or even transmitting inaccurate information through defaced websites are some potential ways in which security threats can destroy an organisation’s data integrity. This will subsequently ruin a company’s credibility and image.
The implementation of regulations such as the Personal Data Protection Bill will increase the public’s sensitivity and seriousness towards data integrity. Failure to ensure that confidential information is protected would be a violation of the law. In the end, the credibility does not matter, but compensation for others’ damages, loss of reputation and decline in brand equity will become greater issues to resolve.
All in all, having a non-secure working environment is as good as a vulnerability to an organisation.
Enterprise security should be considered as an element of business operation. It should not be treated as merely a small division within the IT department in view of the critical implications that unexpected security threats could bring.
With better understanding and knowledge of how security attacks can demolish an organisation, chief information and technology officers will be able to justify the value of the investment in enterprise security management.